As used herein a “threat” comprises malicious software, also known as “malware” or “pestware”, which comprises software that is included or inserted in a part of a processing system or processing systems for a harmful purpose. The term threat should be read to comprise possible, potential and actual threats. Types of malware can comprise, but are not limited to, malicious libraries, viruses, worms, Trojans, adware, malicious active content and denial of service attacks. In the case of invasion of privacy for the purposes of fraud or theft of identity, malicious software that passively observes the use of a computer is known as “spyware”.
An operating system (sometimes abbreviated as “OS”) is a program that, after being initially loaded into the processing system by a boot program, manages other programs in the processing system. The other programs are called applications or application programs. The application programs make use of the operating system by requesting services through a defined application program interface (API). In addition, users can interact directly with the operating system through a user interface such as a command language or a graphical user interface (GUI).
The Master Boot Record (MBR) is the first logical sector on a disk where the BIOS looks to load a program that boots the processing system.
The BIOS (basic input/output system) is a set of routines stored in read-only/flash memory that enable a computer to start the operating system and to communicate with the various devices in the system, such as disk drives, keyboard, monitor, printer, and communications ports.
A cryptographic hash function is a mathematical function that maps values from a large (or even very large) domain into a smaller range, and is a one-way function in that it is computationally infeasible to find any input which maps to any pre-specified output. Furthermore, the function is collision-free in that it is computationally infeasible to find any two distinct inputs which map to the same output.
A checksum is a digit representing the sum of the digits in an instance of digital data. The checksum can be used to check whether errors have occurred in transmission or storage.
Disassembly, in computer programming, is the result when machine code is translated back into assembly language. The term can also refer to the process of creating the disassembly, i.e. using and interacting with a disassembler.
An entity can comprise, but is not limited to, a file, an object, a class, a collection of grouped data, a library, a variable, a process, and/or a device.
Authors of malware have been seeking alternate methods to infect a processing system with malware which may not be easily detected using current malware detection practices. Methods that the author may use comprise, but are not limited to:
User mode API interception to conceal files, processes, registry entries and network connections;
Kernel mode API interception to conceal files, processes, registry entries and network connections;
Kernel mode modification of an Operating System's internal structures to conceal files, processes, registry entries and network connections; and
Modification of an Operating System's core files to conceal files, processes, registry entries and network connections.
Conventional methods for detecting such malware comprise loading an anti-malware application from the operating system after the operating system has been loaded on the processing system. However, malware can be activated during the loading of the operating system, making it difficult for an operating system based anti-malware application to detect and remove such malware from the processing system.
Therefore, there exists a need for a method, system, computer readable medium of instructions, and/or a computer program product to detect malware that can be activated during the loading of an operating system which addresses or at least ameliorates problems inherent in the prior art.
There also exists a need for a method, system, computer readable medium of instructions, and/or a computer program product to disable malware that can be activated during the loading of an operating system of the processing system which addresses or at least ameliorates problems inherent in the prior art.
The reference in this specification to any prior publication (or information derived from it), or to any matter which is known, is not, and should not be taken as an acknowledgment or admission or any form of suggestion that that prior publication (or information derived from it) or known matter forms part of the common general knowledge in the field of endeavour to which this specification relates.